Less audit, more risk: effective committees require broader capability and diversity of thought.
For many boards the starting point when forming an audit and risk committee is obvious: find the accountants.
Strong financial literacy is essential. Oversight of financial statements, internal controls and the external audit requires technical competence and confidence in the language of accounting. The NZX Corporate Governance Code expects the audit committee to comprise solely non-executive directors, the majority of whom are independent, and to include at least one member with accounting or financial expertise. Many boards appoint former CFOs, audit partners or experienced directors with deep financial backgrounds.
But that is not the full story. As the Office of the Auditor-General has noted, audit and risk committees are perhaps better described as “risk and assurance” committees. Their primary focus is risk – providing assurance to the board that the organisation’s most significant risks are being identified, understood and managed in a way that supports strategic objectives and long-term performance. Financial reporting is central to that role, but it is only one dimension.
Risk is anything that might get in the way of achieving organisational strategy and sustaining enterprise value. Equally, robust risk oversight can illuminate strategic opportunity, not just downside exposure. Framed this way, the audit and risk committee’s oversight extends far beyond the numbers.
Today’s committees are grappling with cybersecurity, data governance, climate impacts, regulatory change, fraud risk, supply chain resilience, organisational culture and talent capability. In many organisations, enterprise risk management sits squarely within the committee’s oversight. They must also understand how these risks translate into financial consequences. Financial acumen alone is not enough.
The value of differing perspectives is something the Auditor-General has spoken about directly. Asking the non-financial questions can be just as valuable as interrogating the numbers. Different perspectives strengthen governance, particularly when there is a culture that genuinely values challenge.
A committee composed entirely of financial experts may be technically strong, but it can also be susceptible to shared assumptions and blind spots. Members trained in similar disciplines may frame issues in similar ways. Emerging risks, particularly those outside traditional financial reporting, may not receive the depth of challenge they deserve.
As the remit of the audit and risk committee expands, so too must the range of skills around the table.
Cybersecurity is a case in point. It is now widely recognised as a risk priority. Effective oversight requires more than management assurance that controls are in place. It requires someone who understands digital infrastructure, threat landscapes and the difference between compliance and genuine resilience. They must also understand the potential financial exposure arising from system outages, data loss, regulatory penalties, ethical issues and reputational damage.
The same is true of climate risk and resilience. As climate-related disclosures and expectations evolve, committees need the ability to scrutinise underlying assumptions, data quality and scenario modelling. A purely financial lens may not be sufficient to probe these areas or to test whether anticipated financial impacts are being appropriately reflected in strategy, capital allocation and financial statement assumptions.
Diversity of thought can enhance monitoring, reduce groupthink and strengthen challenge. Boards with varied professional backgrounds bring skills and perspectives, improving decision-making and oversight.
For audit and risk committees, competence must be interpreted broadly. Independence and financial literacy remain foundational. But competence today also encompasses enterprise risk frameworks, familiarity with internal control environments, insight into fraud risk and ethical culture, awareness of data governance and technology threats, understanding of climate-related physical and transition risks and opportunities, and the ability to connect risk information to strategic objectives and financial performance.
New Zealand’s Office of the Auditor-General emphasises that effective risk management requires not only a framework and infrastructure, but consistent application and meaningful information for governors to monitor risk. That monitoring function requires directors who can interrogate dashboards, challenge assumptions and test whether risk is genuinely within appetite, not merely reported as such.
This is where the mindset of committee members becomes as important as their technical qualifications. Effective audit and risk committee members bring independence, scepticism and a willingness to ask difficult questions. They are prepared to probe management on uncomfortable issues. They understand that assurance is not the same as comfort. For that challenge to be effective, the committee must operate as a safe forum for constructive scrutiny and mutual learning between management and directors.
Committees that add value are those that create space for robust discussion and are equipped with the range of skills necessary to test management’s thinking across financial and non-financial domains.
Boards should periodically review the composition of their audit and risk committee against the organisation’s evolving risk profile.
In some cases, the answer may lie in broadening the skills matrix used for appointments. In others, it may involve targeted professional development or the strategic use of external advisers. What matters is that the committee’s capability keeps pace with the organisation’s risk landscape.
Audit and risk committees sit at the intersection of strategy, risk and assurance. Increasingly, their mandate is less about audit alone and more about enterprise risk and resilience. Their effectiveness depends not only on financial expertise, but on the diversity of insight and experience around the table. Thinking beyond accountants does not diminish the importance of financial skill. Rather, it recognises that in a world of expanding risk, governance strength lies in breadth as well as depth.